Quick guide for troubleshooting authentication and logout requests
This guide describes what to do in different error situations.
Use the SAML tracer extension to monitor the SAML traffic.
General instructions
- SAML messages must be signed. Make sure that your application signs all SAML messages.
- SAML message signatures must be verified to validate the origin of the message. Make sure that all SAML message signatures are verified.
- SHA1-based algorithms are not supported by Suomi.fi. Make sure that you are using a SHA256 or higher algorithm to sign messages.
- The default algorithm for encrypting a return message from Suomi.fi e-Identification is AES-GCM. AES-CBC is available for the time being.
Authentication request
The authentication request receives a 500-series "coreidpshib" error reply immediately after it is sent:
- Check that the "Issuer" of the authentication request (AuthnRequest) matches the entity registered in the metadata (entityID). Keep in mind that the comparison is case sensitive.
- Check that the return address in the authentication request ("AssertionConsumerServiceURL", if specified) matches the value of the metadata field 'AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=...'. If the request does not give a return address, check whether the metadata has a default return address or whether the return address index referenced by the request exists in the metadata.
- Check that the certificate in the metadata opens in the certificate tool AND that it can be used to verify (decrypt) the signature of the authentication request.
- Check that the authentication request is sent to the correct address for the POST/Redirect binding, as defined in idp-metadata.xml.
- Check that the ProtocolBinding value in the authentication request is the HTTP-POST binding ('urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST').
Error selecting authentication tool
The authentication request is approved and the user is directed to select the authentication tool. However, an error occurs when the authentication tool is selected:
- Check whether the authentication context requirement of the authentication request (RequestedAuthnContext) uses Comparison="exact": such a requirement conflicts with the authentication methods/levels specified in the metadata.
- Remove the requirement, or correct it so that it matches the methods/levels specified in the metadata.
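As an added example that is not part of this Suomi.fi guide, the following Python script pre-checks an AuthnRequest against the points listed above (Issuer vs. entityID, HTTP-POST return address, ProtocolBinding, SHA1 signature algorithm, and RequestedAuthnContext Comparison="exact") before the request is sent. The SP metadata and the request are constructed samples with placeholder entity IDs and URLs; the script checks structure only and does not verify the signature value itself.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP metadata (placeholder entityID and URLs, not real Suomi.fi values).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sp.example.invalid/saml"><md:SPSSODescriptor>
  <md:AssertionConsumerService index="1" isDefault="true" Location="https://sp.example.invalid/saml/acs"
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
</md:SPSSODescriptor></md:EntityDescriptor>"""
# Constructed AuthnRequest that violates three checks: the Issuer differs in case from the
# entityID, the signature uses SHA1, and RequestedAuthnContext uses Comparison="exact".
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  AssertionConsumerServiceURL="https://sp.example.invalid/saml/acs">
  <saml:Issuer>https://SP.example.invalid/saml</saml:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
    Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo></ds:Signature>
  <samlp:RequestedAuthnContext Comparison="exact"/></samlp:AuthnRequest>"""

def lint_authn_request(request_xml, metadata_xml):
    """Return the list of problems found; an empty list means every check passed."""
    req, md = ET.fromstring(request_xml), ET.fromstring(metadata_xml)
    problems = []
    # The Issuer must equal the registered entityID exactly (case-sensitive comparison).
    if req.findtext("saml:Issuer", default="", namespaces=NS) != md.get("entityID"):
        problems.append("Issuer does not match the metadata entityID (case-sensitive)")
    if req.get("ProtocolBinding") != HTTP_POST:
        problems.append("ProtocolBinding is not HTTP-POST")
    # If a return address is given, it must be an HTTP-POST AssertionConsumerService Location.
    post_acs = {a.get("Location") for a in md.iterfind(".//md:AssertionConsumerService", NS)
                if a.get("Binding") == HTTP_POST}
    acs_url = req.get("AssertionConsumerServiceURL")
    if acs_url is not None and acs_url not in post_acs:
        problems.append("AssertionConsumerServiceURL is not an HTTP-POST ACS Location in metadata")
    # The request must be signed, and not with a SHA1-based algorithm.
    method = req.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("AuthnRequest is not signed")
    elif "sha1" in method.get("Algorithm", "").lower():
        problems.append("SHA1-based signature algorithm is not supported")
    ctx = req.find("samlp:RequestedAuthnContext", NS)
    if ctx is not None and ctx.get("Comparison") == "exact":
        problems.append('RequestedAuthnContext Comparison="exact" conflicts with the metadata')
    return problems
```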
Decryption of an authentication response
If the authentication response cannot be decrypted:
- Check that the AES-GCM algorithm can be used to decrypt the authentication response.
- Check that the correct certificate is registered in the metadata for encrypting the authentication response.
Logout
Logging out through your service
Logging out fails: Suomi.fi e-Identification returns a generic 500-series error "coreidpshib".
- Back-channel logout is not supported. Send a logout request through the user's browser and direct the user to the logout page.
- Check if the logout request has been signed with the corresponding certificate in the metadata.
- Check that the logout request contains the NameID and SessionIndex values received in the authentication response.
- Check if the message is sent to the logout address (SLO) indicated in idp-metadata.xml.
Logging out through another service
Logout is successful, but the Suomi.fi e-Identification logout page indicates that you are being logged out of your service.
- Check that the logout response carrying the "Success" status is signed.
- Check if browser or server settings prevent a status message from being sent.
Updated: 16/1/2026